SaMD Risk Categories I–IV & When FDA Review Is Required

TL;DR: The IMDRF’s SaMD risk framework ranks software from Category I (low risk) to Category IV (highest risk):

• Category I: Inform clinical management

• Category II: Drive clinical management

• Category III: Diagnose or recommend action

• Category IV: Treat or manage critical conditions

  
  

FDA review typically kicks in from Category II onward. But not all categories map cleanly to FDA classes—read on to see how they align.

Why SaMD Risk Categories Matter

If you’re building medical software, understanding risk categorization isn’t optional—it’s the starting line.

Yet many teams confuse the IMDRF’s I–IV system with the FDA’s Class I–III device classification. They’re related—but not interchangeable. This confusion leads to:

• Wrong assumptions about whether 510(k) is needed

• Missed regulatory deadlines

• Unnecessary overregulation (or worse—underregulation)

  
  

Let’s clear it up.

IMDRF’s SaMD Risk Framework Explained

The International Medical Device Regulators Forum (IMDRF) created the SaMD risk framework (N41) to help regulators around the world evaluate medical software consistently.

It sorts software into four categories (I–IV) based on:

1. The significance of the information provided by the software (Inform → Drive → Diagnose/Treat)

2. The state of the healthcare condition it addresses (Non-serious → Serious → Critical)

   
   

This framework is widely adopted—not just by the FDA, but also in the EU, Japan, Australia, and Canada.

Understanding the Four SaMD Categories

Here’s what each category means:

Category I — “Inform”

• Software informs clinical management

• Low-risk context (e.g., mild acne, general wellness)

  
  

Category II — “Drive”

• Software influences decisions

• Used in non-critical or moderate conditions

  
  

Category III — “Diagnose”

• Supports diagnosis or staging of serious conditions

• Used to guide treatment decisions

  
  

Category IV — “Treat / Critical”

• Software treats or directly manages life-threatening conditions

• Highest consequence if it malfunctions

IMDRF SaMD Categories Table

Mapping IMDRF Categories to FDA Device Classes

This is where things get tricky.

The FDA doesn’t officially “translate” IMDRF categories into Class I/II/III. But in practice, this is how things tend to map:

Category I → FDA Class I

• Most exempt from premarket review

• May fall under enforcement discretion

• Example: a stress-level tracker using survey data

  
  

Category II–III → FDA Class II

• Often require 510(k) or De Novo submissions

• Example: software that flags early signs of diabetic retinopathy

  
  

Category IV → FDA Class III

• Require PMA (Premarket Approval)

• Often need clinical trials or real-world evidence

• Example: adaptive software that personalizes chemotherapy regimens

  
  

Which Categories Trigger FDA Review?

Here’s the general rule of thumb:

Category I

✅ Often exempt

⚠️ But don’t assume—check intended use carefully

📝 May still need listing or enforcement policy analysis

Category II & III

🚩 Typically require 510(k)

🧪 May need performance or clinical validation

Category IV

🔒 Requires PMA

📊 Extensive safety, efficacy, and risk documentation expected

Note: FDA exceptions exist. Always verify with a regulatory expert—or use Complizen to guide you.

FAQs

Q: What’s the difference between IMDRF and Rule 11 (EU MDR)?

Rule 11 is a software-specific risk rule under EU MDR. IMDRF is a global framework. Many Notified Bodies use both to cross-reference decisions.

Q: Do SaMD risk categories apply under EU MDR?

They’re not official in the EU—but they're widely referenced by regulators, notified bodies, and guidance bodies when evaluating software claims.

Q: Does the FDA ignore Category I?

Not always. FDA may exercise enforcement discretion, but if your app sounds remotely diagnostic or therapeutic, you’ll still need to clarify classification.